Operating System - HP-UX

Best practice to validate a user/pwd combination on trusted mode ?

 
SOLVED
Andreas Klaer
Valued Contributor

Best practice to validate a user/pwd combination on trusted mode ?

Hello,

I have an application where I want to check a unix user/passwd combination on a system running in trusted mode. Since the tcb password database is not accessible, I would like to know the best practice to achieve this.

Regards & thanks,

Andreas.
Andreas Klaer
Edward Sedgemore
Trusted Contributor

Re: Best practice to validate a user/pwd combination on trusted mode ?


You need to use the getprpw and modprpw commands, see attached manpages for them.

Dan Hetzel
Honored Contributor

Re: Best practice to validate a user/pwd combination on trusted mode ?

Hi Andreas,

I'm not sure I understand what you want to achieve.
Could you please explain?

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
Andreas Klaer
Valued Contributor

Re: Best practice to validate a user/pwd combination on trusted mode ?

I'll try to explain it better.

I have a web based application that requires a user authentication related to an existing unix account of the application user.

I require that the user logs in providing his unix user name and password. So the web server has to prove if the password is correct. My question is how to achieve this in the best manner.

The current solution implements a script that uses crypt to encrypt the password that was entered by the user and compares it to the /etc/passwd entry. Regarding trusted mode, I face the problem that the crypted password is naturally only accessible to root. To solve this issue I've implemented a small binary based on getprpwd() that verifies the password against the password database. But AFAIK this binary must run with uid 0 to access the pwd database, so I'm using the set-uid-on-file bit on that executable - not a nice solution.

Any help is appreciated,

Regards,

Andreas.
Andreas Klaer
Dan Hetzel
Honored Contributor

Re: Best practice to validate a user/pwd combination on trusted mode ?

Hi Andreas,

This sounds clearer!

I'm afraid that you won't be able to avoid using your 'setuid root' program to access the password database.

That's what a trusted system is all about, i.e. preventing an unauthorized user from reading the encrypted password.

All the best,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
Steve Faidley
Valued Contributor
Solution

Re: Best practice to validate a user/pwd combination on trusted mode ?

There is another way. Use a script run by root cron to create a non-trusted-like passwd file from the tcb database and place it in a directory only accessible by the UID that your program runs under. I have such a script if you want to try it.
If it ain't broke, let me have a look at it.